Merge branch 'release/1.4.0'

.gitignore

@@ -1,6 +1,5 @@
 # Compiled files
-*.tfstate
-*.tfstate.backup
+*.tfstate*
 
 # Module directory
 .terraform/

CHNAGELOG.md

@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [1.4.0] - 2018-08-09
+### Added
+- Added an option to allow gitlab runner instance to create service linked roles, by default enabled.
+- Added example for public subnet
+
 ## [1.3.0] - 2018-08-08
 - Add option to run runners in public subnet
 
@@ -55,7 +60,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Update default AMI's to The latest Amazon Linux AMI 2017.09.1 - released on 2018-01-17.
 - Minor updates in the example
 
-[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.3.0...HEAD
+[Unreleased]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.4.0...HEAD
+[1.4.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.3.0...1.4.0
 [1.3.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.2.1...1.3.0
 [1.2.1]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.2.0...1.2.1
 [1.2.0]: https://github.com/npalm/terraform-aws-gitlab-runner/compare/1.1.0...1.2.0

README.md

@@ -30,11 +30,11 @@ export AWS_SECRET_ACCESS_KEY=...
 ```
 
 ### Service linked roles
-Currently the ec2 instance role does not allow creation of service linked roles. The runner instances is depended on the following two service linked roles:
+The gitlab runner ec2 instance needs the following sercice linked roles:
 - AWSServiceRoleForAutoScaling
 - AWSServiceRoleForEC2Spot
 
-You can create them manually or via terraform.
+By default the ec2 instance is allowed to create the roles, by setting the option `allow_iam_service_linked_role_creation` to `false` you can deny the creation of roles by the instance. In that case you have to ensure the roles exists. You can create them manually or via terraform.
 
 ```
 resource "aws_iam_service_linked_role" "spot" {

examples/runner-default/README.md

@@ -0,0 +1,6 @@
+# Example - Runner - Private subnets
+
+Example how create a gitlab runner, running in a private subnet.
+
+## Prerequisite
+The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using tfenv please check `.terraform-version` for the tested version.

examples/runner-public/.terraform-version

@@ -0,0 +1 @@
+0.11.7

examples/runner-public/README.md

@@ -0,0 +1,6 @@
+# Example - Runner - Public subnets
+
+Example how create a gitlab runner, running in a public subnet.
+
+## Prerequisite
+The terraform version is managed using [tfenv](https://github.com/Zordrak/tfenv). If you are not using tfenv please check `.terraform-version` for the tested version.

examples/runner-public/key.tf

@@ -0,0 +1,25 @@
+resource "tls_private_key" "ssh" {
+  algorithm = "RSA"
+}
+
+resource "local_file" "public_ssh_key" {
+  depends_on = ["tls_private_key.ssh"]
+
+  content  = "${tls_private_key.ssh.public_key_openssh}"
+  filename = "${var.public_ssh_key_filename}"
+}
+
+resource "local_file" "private_ssh_key" {
+  depends_on = ["tls_private_key.ssh"]
+
+  content  = "${tls_private_key.ssh.private_key_pem}"
+  filename = "${var.private_ssh_key_filename}"
+}
+
+resource "null_resource" "file_permission" {
+  depends_on = ["local_file.private_ssh_key"]
+
+  provisioner "local-exec" {
+    command = "${format("chmod 600 %s", var.private_ssh_key_filename)}"
+  }
+}

examples/runner-public/main.tf

@@ -0,0 +1,40 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "1.37.0"
+
+  name = "vpc-${var.environment}"
+  cidr = "10.1.0.0/16"
+
+  azs            = ["eu-west-1a"]
+  public_subnets = ["10.1.101.0/24"]
+
+  tags = {
+    Environment = "${var.environment}"
+  }
+}
+
+module "runner" {
+  source = "../../"
+
+  aws_region  = "${var.aws_region}"
+  environment = "${var.environment}"
+
+  ssh_public_key = "${local_file.public_ssh_key.content}"
+
+  runners_use_private_address = false
+
+  vpc_id                  = "${module.vpc.vpc_id}"
+  subnet_id_gitlab_runner = "${element(module.vpc.public_subnets, 0)}"
+  subnet_id_runners       = "${element(module.vpc.public_subnets, 0)}"
+
+  runners_name       = "${var.runner_name}"
+  runners_gitlab_url = "${var.gitlab_url}"
+  runners_token      = "${var.runner_token}"
+
+  runners_off_peak_timezone   = "Europe/Amsterdam"
+  runners_off_peak_idle_count = 0
+  runners_off_peak_idle_time  = 60
+
+  # working 9 to 5 :)
+  runners_off_peak_periods = "[\"* * 0-9,17-23 * * mon-fri *\", \"* * * * * sat,sun *\"]"
+}

examples/runner-public/providers.tf

@@ -0,0 +1,20 @@
+provider "aws" {
+  region  = "${var.aws_region}"
+  version = "1.23"
+}
+
+provider "template" {
+  version = "1.0"
+}
+
+provider "local" {
+  version = "1.1"
+}
+
+provider "null" {
+  version = "1.0"
+}
+
+provider "tls" {
+  version = "1.1"
+}

examples/runner-public/terraform.tfvars

@@ -0,0 +1,12 @@
+key_name = "gitlab-runner"
+
+environment = "runner-public"
+
+aws_region = "eu-west-1"
+
+# Add the following variables:
+runner_name = "docker.m3"
+
+gitlab_url = "https://gitlab.com"
+
+runner_token = "3939146918cced54ecf1dd08e6b87e"

examples/runner-public/variables.tf

@@ -0,0 +1,34 @@
+variable "aws_region" {
+  description = "AWS region."
+  type        = "string"
+  default     = "eu-west-1"
+}
+
+variable "environment" {
+  description = "A name that indentifies the environment, will used as prefix and for taggin."
+  default     = "ci-runners"
+  type        = "string"
+}
+
+variable "public_ssh_key_filename" {
+  default = "generated/id_rsa.pub"
+}
+
+variable "private_ssh_key_filename" {
+  default = "generated/id_rsa"
+}
+
+variable "runner_name" {
+  description = "Name of the runner, will be used in the runner config.toml"
+  type        = "string"
+}
+
+variable "gitlab_url" {
+  description = "URL of the gitlab instance to connect to."
+  type        = "string"
+}
+
+variable "runner_token" {
+  description = "Token for the runner, will be used in the runner config.toml"
+  type        = "string"
+}

main.tf

@@ -151,6 +151,9 @@ resource "aws_launch_configuration" "gitlab_runner_instance" {
   }
 }
 
+################################################################################
+### Trust policy
+################################################################################
 resource "aws_iam_instance_profile" "instance" {
   name = "${var.environment}-instance-profile"
   role = "${aws_iam_role.instance.name}"
@@ -165,6 +168,9 @@ resource "aws_iam_role" "instance" {
   assume_role_policy = "${data.template_file.instance_role_trust_policy.rendered}"
 }
 
+################################################################################
+### docker machine instance policy
+################################################################################
 data "template_file" "docker_machine_policy" {
   template = "${file("${path.module}/policies/instance-docker-machine-policy.json")}"
 }
@@ -177,7 +183,33 @@ resource "aws_iam_policy" "docker_machine" {
   policy = "${data.template_file.docker_machine_policy.rendered}"
 }
 
-resource "aws_iam_role_policy_attachment" "test-attach" {
+resource "aws_iam_role_policy_attachment" "docker_machine" {
   role       = "${aws_iam_role.instance.name}"
   policy_arn = "${aws_iam_policy.docker_machine.arn}"
 }
+
+################################################################################
+### Service linked policy, optional
+################################################################################
+data "template_file" "service_linked_role" {
+  count = "${var.allow_iam_service_linked_role_creation ? 1 : 0}"
+
+  template = "${file("${path.module}/policies/service-linked-role-create-policy.json")}"
+}
+
+resource "aws_iam_policy" "service_linked_role" {
+  count = "${var.allow_iam_service_linked_role_creation ? 1 : 0}"
+
+  name        = "${var.environment}-service_linked_role"
+  path        = "/"
+  description = "Policy for creation of service linked roles."
+
+  policy = "${data.template_file.service_linked_role.rendered}"
+}
+
+resource "aws_iam_role_policy_attachment" "service_linked_role" {
+  count = "${var.allow_iam_service_linked_role_creation ? 1 : 0}"
+
+  role       = "${aws_iam_role.instance.name}"
+  policy_arn = "${aws_iam_policy.service_linked_role.arn}"
+}

policies/service-linked-role-create-policy.json

@@ -0,0 +1,10 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "iam:CreateServiceLinkedRole",
+      "Resource": "arn:aws:iam::*:role/aws-service-role/*"
+    }
+  ]
+}

variables.tf

@@ -182,3 +182,8 @@ variable "tags" {
   description = "Map of tags that will be added to created resources. By default resources will be taggen with name and environemnt."
   default     = {}
 }
+
+variable "allow_iam_service_linked_role_creation" {
+  description = "Attach policy to runner instance to create service linked roles."
+  default     = true
+}